  1. Jenkins
  2. JENKINS-51124

Trust Server Certificate not honoured for build failure messages

Details

    Description

      I've configured rocketchat notifier with the option "Trust Server Certificate" set, and the test connection works, giving the message
      "you're all set on [domain]" in my rocket chat channel.
      I've configured the rocketchat plugin for the build in question and checked to be notified on all event types, however no message is received and in the logs there is the message:
      "Could not send rocket message"

      I updated the relevant log message to include the actual error, and reloaded the plugin which now gives:

      Build completed. Checking for rocket notifiers
      May 04, 2018 9:00:14 AM INFO jenkins.plugins.rocketchatnotifier.ActiveNotifier completed
      Could not send rocket message: Please check if the server API domain:2015/api/v1/login is correct: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

      It appears that the test is not checking for a certificate, but to actually send a message it still is.

        Activity

          mreinhardt Martin Reinhardt added a comment - the next release will have some more logging methods. Post logs back once new version is released

          jdileonardo Julian Di Leonardo added a comment - Still hitting this

          Jul 05, 2018 11:18:44 AM INFO jenkins.plugins.rocketchatnotifier.RocketChatNotifier prebuild
          Invoking Started...
          Jul 05, 2018 11:18:44 AM INFO jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl
          Creating new instance for rocket https://myrocketchatinternalwebsite.com (trustSSL: false)
          Jul 05, 2018 11:18:44 AM SEVERE jenkins.plugins.rocketchatnotifier.RocketClientWebhookImpl publish
          I/O error error during publishing message
          sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
              at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
              at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)

          jdileonardo Julian Di Leonardo added a comment - ping mreinhardt

          mreinhardt Martin Reinhardt added a comment - sorry, but having no idea why it's not working and don't have time to investigate further ...

          mdaswani Mayank Daswani added a comment - I have also recently encountered this bug. Happens with a self-hosted rocketchat instance with a self-signed cert. A workaround is to import the cert into the java keystore on the jenkins host, but it does seem like the "Trust server certificate" setting is not honoured for jobs, only for test connections.
          lasselindqvist Lasse Lindqvist added a comment - Maybe because trustSSL is used only in one branch here? https://github.com/jenkinsci/rocketchatnotifier-plugin/blob/develop/src/main/java/jenkins/plugins/rocketchatnotifier/rocket/RocketChatClientCallBuilder.java#L95  
          mreinhardt Martin Reinhardt added a comment - that's wrong, it's also in the master: https://github.com/jenkinsci/rocketchatnotifier-plugin/blob/master/src/main/java/jenkins/plugins/rocketchatnotifier/rocket/RocketChatClientCallBuilder.java#L96

          lasselindqvist Lasse Lindqvist added a comment - Sorry, I was a bit unclear. What I meant was that for example https://github.com/jenkinsci/rocketchatnotifier-plugin/blob/master/src/main/java/jenkins/plugins/rocketchatnotifier/rocket/RocketChatClientCallBuilder.java#L89

          Unirest.setHttpClient(clientBuilder.build());

          does not seem to be using the parameter.

          mreinhardt Martin Reinhardt added a comment - fixed in develop branch. Will be corrected in the next release

          mreinhardt Martin Reinhardt added a comment - Fixed in 1.3.1

          metaun Konstantin Titor added a comment - mark_hardwick how did you update the relevant log message to include the actual error? Because at the moment I have the same error "Could not send rocket message" in jenkins log without additional information. Plugin version 1.3.2

          metaun Konstantin Titor added a comment - I've reopened this issue because I have the same error with the latest version of Jenkins and Rocket.Chat plugin
          gaebl Gaël Barbier added a comment - - edited

          We have the same issue in 1.4.1.
          With an HTTPS instance of Rocket Chat with a self-signed certificate and with username/password auth (not webhook token).
          "Test Connection" is fine with "Trust Server Certificate" checked.
          But the build notifier fails.

          Build completed. Checking for rocket notifiers
          janv. 28, 2019 2:49:44 PM INFOS jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl
          Creating new instance for rocket https://rocket****** (trustSSL: false)
          janv. 28, 2019 2:49:44 PM GRAVE jenkins.plugins.rocketchatnotifier.RocketClientWebhookImpl publish
          I/O error error during publishing message
          sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
              at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
              at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
              at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
          Caused: sun.security.validator.ValidatorException: PKIX path building failed
              at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
              at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
              at sun.security.validator.Validator.validate(Validator.java:260)
              at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
              at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
              at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
          Caused: javax.net.ssl.SSLHandshakeException
              at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
              at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
              at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
              at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
              at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
              at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
              at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
              at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
              at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
              at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
              at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
              at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
              at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
              at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
              at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
              at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
              at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
              at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
              at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
              at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
              at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
              at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
              at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
              at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:138)
          Caused: com.mashape.unirest.http.exceptions.UnirestException
              at com.mashape.unirest.http.HttpClientHelper.request(HttpClientHelper.java:143)
              at com.mashape.unirest.request.BaseRequest.asString(BaseRequest.java:56)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildGetCall(RocketChatClientCallBuilder.java:148)
          Caused: jenkins.plugins.rocketchatnotifier.rocket.errorhandling.RocketClientException
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildGetCall(RocketChatClientCallBuilder.java:150)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildCall(RocketChatClientCallBuilder.java:126)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientCallBuilder.buildCall(RocketChatClientCallBuilder.java:111)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.getInfo(RocketChatClientImpl.java:101)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.sendSingleMessage(RocketChatClientImpl.java:151)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.send(RocketChatClientImpl.java:130)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.send(RocketChatClientImpl.java:123)
              at jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl.send(RocketChatClientImpl.java:117)
              at jenkins.plugins.rocketchatnotifier.RocketClientWebhookImpl.publish(RocketClientWebhookImpl.java:37)
              at jenkins.plugins.rocketchatnotifier.ActiveNotifier.completed(ActiveNotifier.java:114)
              at jenkins.plugins.rocketchatnotifier.RocketChatNotifier.perform(RocketChatNotifier.java:367)
              at hudson.tasks.BuildStepMonitor$1.perform(BuildStepMonitor.java:20)
              at hudson.model.AbstractBuild$AbstractBuildExecution.perform(AbstractBuild.java:736)
              at hudson.model.AbstractBuild$AbstractBuildExecution.performAllBuildSteps(AbstractBuild.java:682)
              at hudson.model.Build$BuildExecution.post2(Build.java:186)
              at hudson.model.AbstractBuild$AbstractBuildExecution.post(AbstractBuild.java:627)
              at hudson.model.Run.execute(Run.java:1762)
              at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:43)
              at hudson.model.ResourceController.execute(ResourceController.java:97)
              at hudson.model.Executor.run(Executor.java:421)


          mreinhardt Martin Reinhardt added a comment - and the logs say you have trustSSL disabled so any self-signed cert will not get through
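
The log check the last comment relies on, as an added example that is not part of the issue or the plugin's code: it pairs each "Creating new instance for rocket ... (trustSSL: ...)" record, in the format shown in the logs above, with any PKIX failure that follows it. The function names and the sample log are constructed for illustration.

```python
import re

# Constructed sample (not copied from the thread) in the java.util.logging layout shown above.
SAMPLE_LOG = """\
Jul 05, 2018 11:18:44 AM INFO jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl
Creating new instance for rocket https://chat.example.internal (trustSSL: false)
Jul 05, 2018 11:18:44 AM SEVERE jenkins.plugins.rocketchatnotifier.RocketClientWebhookImpl publish
I/O error error during publishing message
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Jul 05, 2018 11:20:02 AM INFO jenkins.plugins.rocketchatnotifier.rocket.RocketChatClientImpl
Creating new instance for rocket https://chat.example.internal (trustSSL: true)
"""

# Message text as it appears in the logs posted in this issue.
CLIENT_RE = re.compile(r"Creating new instance for rocket (\S+) \(trustSSL: (true|false)\)")
PKIX_RE = re.compile(r"PKIX path building failed|unable to find valid certification path")


def triage(log_text):
    """Attribute each PKIX failure to the most recent client instantiation before it.

    Matching is done on character offsets and on message text only, so it also
    works on logs pasted as a single line and on localized level names (INFOS, GRAVE).
    """
    clients = [
        {"url": m.group(1), "trust_ssl": m.group(2) == "true",
         "pkix_failure": False, "offset": m.start()}
        for m in CLIENT_RE.finditer(log_text)
    ]
    for failure in PKIX_RE.finditer(log_text):
        earlier = [c for c in clients if c["offset"] < failure.start()]
        if earlier:
            earlier[-1]["pkix_failure"] = True
    return clients


def diagnose(client):
    """Classify one client record produced by triage()."""
    if not client["pkix_failure"]:
        return "ok"
    if client["trust_ssl"]:
        # The flag reached the client, yet default certificate validation still ran.
        return "validation-ran-despite-trust-flag"
    # The client used for sending was built with the flag off.
    return "trust-flag-false-at-send-time"


if __name__ == "__main__":
    for c in triage(SAMPLE_LOG):
        print(c["url"], "trustSSL=%s" % c["trust_ssl"], diagnose(c))
```

A result of trust-flag-false-at-send-time while the checkbox is ticked matches the behaviour reported in this issue. Importing the server certificate into the Java keystore on the Jenkins host, the workaround mentioned above, keeps certificate validation enabled.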

          People

            mreinhardt Martin Reinhardt
            mark_hardwick mark hardwick